
Null pointer dereference in function gf_isom_get_track_id() #1406

Closed
mannuJoshi opened this issue Feb 8, 2020 · 1 comment

Comments

@mannuJoshi

Command: MP4Box -crypt test.xml $POC -out test.mp4

Version: MP4Box - GPAC version 0.8.0-rev177-g51a8ef874-master

Reproducer file: Reproducer

GDB:

IsoMedia import id:000034,sig:11,src:000003,op:flip4,pos:8995 - track ID 1 - media type "sdsm:mp4s"
[BS] Attempt to write 128 bits, when max is 32
Program received signal SIGSEGV, Segmentation fault.
[ Legend: Modified register | Code | Heap | Stack | String ]
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax   : 0x0               
$rbx   : 0x0               
$rcx   : 0x0               
$rdx   : 0x1               
$rsp   : 0x00007fffffff8fc0  →  0x0000000100000000
$rbp   : 0x2153            
$rsi   : 0x1               
$rdi   : 0x00005555555bff20  →  0x0000000000000000
$rip   : 0x00007ffff7b0e625  →  <gf_media_update_bitrate+389> mov DWORD PTR [rax+0x14], ecx
$r8    : 0x2               
$r9    : 0x1               
$r10   : 0x0               
$r11   : 0x00005555555c37c0  →  0x0000000000000001
$r12   : 0x2153            
$r13   : 0x00005555555bff20  →  0x0000000000000000
$r14   : 0x1               
$r15   : 0x00005555555c4460  →  0x0000000000010003
$eflags: [zero carry PARITY adjust sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000 
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x00007fffffff8fc0│+0x0000: 0x0000000100000000	 ← $rsp
0x00007fffffff8fc8│+0x0008: 0x0000000000000000
0x00007fffffff8fd0│+0x0010: 0x0000000000002153 ("S!"?)
0x00007fffffff8fd8│+0x0018: 0x00000000000003e8
0x00007fffffff8fe0│+0x0020: 0x00007fffffff9000  →  0x0000000000000000
0x00007fffffff8fe8│+0x0028: 0x00005555555c4460  →  0x0000000000010003
0x00007fffffff8ff0│+0x0030: 0x0000000000000000
0x00007fffffff8ff8│+0x0038: 0x0000000000000000
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
   0x7ffff7b0e618 <gf_media_update_bitrate+376> sbb    BYTE PTR [r9+r9*4-0x11], r9b
   0x7ffff7b0e61d <gf_media_update_bitrate+381> mov    edx, 0x1
   0x7ffff7b0e622 <gf_media_update_bitrate+386> mov    esi, r14d
 → 0x7ffff7b0e625 <gf_media_update_bitrate+389> mov    DWORD PTR [rax+0x14], ecx
   0x7ffff7b0e628 <gf_media_update_bitrate+392> mov    rax, QWORD PTR [r15+0x18]
   0x7ffff7b0e62c <gf_media_update_bitrate+396> mov    rcx, r15
   0x7ffff7b0e62f <gf_media_update_bitrate+399> mov    DWORD PTR [rax+0x10], ebx
   0x7ffff7b0e632 <gf_media_update_bitrate+402> mov    rax, QWORD PTR [r15+0x18]
   0x7ffff7b0e636 <gf_media_update_bitrate+406> mov    DWORD PTR [rax+0xc], ebp
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "MP4Box", stopped, reason: SIGSEGV
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x7ffff7b0e625 → gf_media_update_bitrate()
[#1] 0x7ffff7b13cd6 → gf_import_isomedia()
[#2] 0x7ffff7b211d5 → gf_media_import()
[#3] 0x55555556df0a → mp4boxMain()
[#4] 0x7ffff74b5b97 → __libc_start_main(main=0x5555555631e0 <main>, argc=0x6, argv=0x7fffffffdfe8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdfd8)
[#5] 0x55555556321a → _start()
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
0x00007ffff7b0e625 in gf_media_update_bitrate () from /usr/local/lib/libgpac.so.8

gef➤  bt
#0  0x00007ffff79d18fd in gf_isom_get_track_id () from /usr/local/lib/libgpac.so.8
#1  0x00007ffff7b45ef1 in gf_crypt_file () from /usr/local/lib/libgpac.so.8
#2  0x0000555555577575 in mp4boxMain (argc=0x6, argv=0x7fffffffdfb8) at main.c:5474
#3  0x00005555555796a3 in main (argc=0x6, argv=0x7fffffffdfb8) at main.c:5985

gef➤  i r
rax            0x0	0x0
rbx            0x0	0x0
rcx            0x20	0x20
rdx            0x0	0x0
rsi            0x0	0x0
rdi            0x5555555d0650	0x5555555d0650
rbp            0x7ffffffbd660	0x7ffffffbd660
rsp            0x7ffffffbd640	0x7ffffffbd640
r8             0x0	0x0
r9             0x0	0x0
r10            0x19	0x19
r11            0x7ffff79d18b5	0x7ffff79d18b5
r12            0x555555562470	0x555555562470
r13            0x7fffffffdfb0	0x7fffffffdfb0
r14            0x0	0x0
r15            0x0	0x0
rip            0x7ffff79d18fd	0x7ffff79d18fd <gf_isom_get_track_id+72>
eflags         0x10202	[ IF RF ]
cs             0x33	0x33
ss             0x2b	0x2b
ds             0x0	0x0
es             0x0	0x0
fs             0x0	0x0
gs             0x0	0x0

gef➤  exploitable
Description: Access violation near NULL on source operand
Short description: SourceAvNearNull (16/22)
Hash: a5cc92255fba44e928c1a0bb49438db1.a5cc92255fba44e928c1a0bb49438db1
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Explanation: The target crashed on an access violation at an address matching the source operand of the current instruction. This likely indicates a read access violation, which may mean the application crashed on a simple NULL dereference to data structure that has no immediate effect on control of the processor.
Other tags: AccessViolation (21/22)
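The backtrace above shows gf_crypt_file() calling gf_isom_get_track_id() and the fault landing inside the latter with rax = 0, i.e. a lookup that succeeded in finding a track object but then read through a NULL field of it. The following is an added illustration of that pattern and of the guard that removes it; it is not GPAC's code and is not taken from the fix commit. It assumes (this is not confirmed by the report) that the offending track has a NULL header pointer, the shape you get from a fuzzed file whose trak box carries no tkhd child, and it keeps GPAC's public convention that a track ID of 0 means "no valid track". The box layout, the `parse_*` helpers and the sample bytes are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TRACKS 8

typedef struct { uint32_t trackID; } TrackHeaderBox;            /* stands in for 'tkhd' */
typedef struct { TrackHeaderBox *Header; } TrackBox;            /* stands in for 'trak' */
typedef struct { TrackBox *tracks[MAX_TRACKS]; uint32_t count; } Movie;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Walk the children of a 'trak' box. The returned track keeps Header == NULL when no
   'tkhd' child is present, which a 4-byte bit flip can easily cause in a real file. */
static TrackBox *parse_trak(const uint8_t *p, size_t len) {
    TrackBox *trak = calloc(1, sizeof *trak);
    if (!trak) return NULL;
    size_t off = 0;
    while (off + 8 <= len) {
        uint32_t size = be32(p + off);
        if (size < 8 || size > len - off) break;                /* truncated or oversized child */
        if (!trak->Header && size >= 12 && memcmp(p + off + 4, "tkhd", 4) == 0) {
            trak->Header = calloc(1, sizeof *trak->Header);
            if (trak->Header) trak->Header->trackID = be32(p + off + 8);
        }
        off += size;
    }
    return trak;
}

/* Parse a flat sequence of boxes (size, type, payload) and collect every 'trak'. */
int parse_movie(const uint8_t *p, size_t len, Movie *m) {
    memset(m, 0, sizeof *m);
    size_t off = 0;
    while (off + 8 <= len) {
        uint32_t size = be32(p + off);
        if (size < 8 || size > len - off) return -1;
        if (memcmp(p + off + 4, "trak", 4) == 0 && m->count < MAX_TRACKS) {
            TrackBox *t = parse_trak(p + off + 8, size - 8);
            if (!t) return -1;
            m->tracks[m->count++] = t;
        }
        off += size;
    }
    return 0;
}

/* Track numbers are 1-based, as in the GPAC API. */
static TrackBox *get_track(const Movie *m, uint32_t trackNumber) {
    if (trackNumber == 0 || trackNumber > m->count) return NULL;
    return m->tracks[trackNumber - 1];
}

/* The crashing pattern: only the track pointer is validated, not the header it owns. */
uint32_t get_track_id_unchecked(const Movie *m, uint32_t trackNumber) {
    TrackBox *trak = get_track(m, trackNumber);
    if (!trak) return 0;
    return trak->Header->trackID;                               /* NULL deref if 'tkhd' is absent */
}

/* Hardened form: every pointer on the path is checked; 0 is the "invalid track" sentinel. */
uint32_t get_track_id_checked(const Movie *m, uint32_t trackNumber) {
    TrackBox *trak = get_track(m, trackNumber);
    if (!trak || !trak->Header) return 0;
    return trak->Header->trackID;
}

/* What a caller such as an encrypter loop should do: skip tracks that report ID 0. */
uint32_t count_usable_tracks(const Movie *m) {
    uint32_t n = 0;
    for (uint32_t i = 1; i <= m->count; i++)
        if (get_track_id_checked(m, i) != 0) n++;
    return n;
}

void free_movie(Movie *m) {
    for (uint32_t i = 0; i < m->count; i++) {
        free(m->tracks[i]->Header);
        free(m->tracks[i]);
    }
    m->count = 0;
}

/* Constructed sample: track 1 carries a 'tkhd' with ID 1; track 2 has only a 'free' child. */
const uint8_t sample_file[] = {
    0,0,0,20, 't','r','a','k',  0,0,0,12, 't','k','h','d', 0,0,0,1,
    0,0,0,16, 't','r','a','k',  0,0,0,8,  'f','r','e','e',
};

int main(void) {
    Movie m;
    if (parse_movie(sample_file, sizeof sample_file, &m) != 0) return 1;
    for (uint32_t i = 1; i <= m.count; i++)
        printf("track %u -> id %u\n", i, get_track_id_checked(&m, i));
    printf("usable tracks: %u\n", count_usable_tracks(&m));
    free_movie(&m);
    return 0;
}
```

Calling get_track_id_unchecked(&m, 2) on the sample would reproduce the fault class seen in the report (a read through a NULL struct pointer at a small offset, which is exactly why the !exploitable plugin rates it SourceAvNearNull). The hardened lookup returns 0 for that track, and a caller that treats 0 as "skip" keeps processing the remaining tracks instead of crashing.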
jeanlf added a commit that referenced this issue Jun 11, 2020
@jeanlf
Contributor

jeanlf commented Jun 11, 2020

fixed, thanks for the report

@jeanlf jeanlf closed this as completed Jun 11, 2020